UniPass is a local-first, zero-knowledge password manager. By design we do everything we can to minimize the data we can see — because data we can see is data that can leak.
- Local-first: vault data is encrypted on your device with AES-256-GCM before it ever leaves.
- Sync is optional: off by default; when enabled, only end-to-end encrypted ciphertext is uploaded. We have no keys and cannot decrypt it.
- Zero telemetry: no usage analytics, crash reporting, or behavioral tracking.
- We don't sell data, run ads, or profile you.
What we collect
Without cloud sync (local mode)
Nothing. Your master password, vault contents, Secret Key, device identifiers, and IP address never leave your device. The only outbound request is optional favicon fetching (see below).
With cloud sync enabled
Only the following is uploaded to our sync server:
| Category | Uploaded? | Notes |
|---|---|---|
| Master password | No | Never leaves the device; the server only sees an Argon2id-derived auth hash (irreversible). |
| Vault records (logins, notes, cards, etc.) | Ciphertext only | Opaque AES-256-GCM blobs; the server has no key to decrypt them. |
| Secret Key (recovery code) | No | Generated at sign-up, stored only in the device Keychain. |
| Sync metadata | Yes | Account email, device name/type, sync timestamps, record version numbers. |
| Usage analytics / telemetry | No | No analytics SDKs integrated (no Sentry / Firebase / GA / Mixpanel). |
| Crash reports | No | No crash reporting integrated. |
| Client IP | Transient | Kept only in web access logs as operationally needed; not written to the user database. |
| Favicons | See below | Fetched on demand from the target site's public favicon; requests carry no vault content. |
We never upload your master password or any derived key, plaintext vault content, or your browser history, clipboard, or filenames.
Enabling cloud sync is an explicit action — you must enter a server URL and confirm under Settings → Cloud Sync in the desktop app.
The browser extension
The Chrome extension is a companion to the desktop app. It detects login forms and fills credentials only when you act on a page. Credentials travel only between the extension and the local desktop app via your operating system's Native Messaging channel — never over the network to us. The extension contains no analytics and sends no browsing data anywhere.
Third-party services
- Favicon fetching: when you save an entry with a URL, UniPass requests that site's public favicon. The request contains no vault content and can be disabled in settings.
- Sync server (only if you enable sync): a server operated by the UniPass team, reached over HTTPS + WebSocket, exchanging only ciphertext and sync metadata.
UniPass communicates with no other third-party services.
Where data is stored
All local data lives in the standard OS user-data directory:
- macOS:
~/Library/Application Support/io.loxnet.unipass/
The database is encrypted with SQLCipher using a key derived from your master password. OS file permissions (0600) prevent other users from reading it.
Data deletion
- A single record: moved to Trash, permanently deleted after 30 days, or removed immediately by you.
- Your entire local vault: uninstall UniPass or delete
~/Library/Application Support/io.loxnet.unipass/to remove all local data. - Server data: revoke a device or delete your account under Settings → Cloud Sync; deletion clears the server-side ciphertext and sync metadata. Uninstalling the client does not automatically delete server data.
Children's privacy
UniPass is not directed to children under 13 and does not knowingly collect personal data from minors.
Changes
Revisions to this policy are announced in the project's release notes. Material changes will be communicated to users in advance.
Contact
- Privacy enquiries: privacy@unipass.loxnet.io
- Security disclosure: security@unipass.loxnet.io (see our Security page)